+1

Out of the box, firewall your input chain (or equivalent) appropriately, disable any unused services and lock down the ones that are used, as a minimum.

Shane

On 23/4/18, 10:03 pm, "Public on behalf of James Hodgkinson" <public-bounces@talk.mikrotik.com.au on behalf of yaleman@ricetek.net> wrote:

    Why would *anyone* allow access from arbitrary IPs to something that authenticates with nothing more complex than username and password with no rate limiting? Lock it down to source IP or something at least, if not requiring an IPSEC tunnel.

    I'm genuinely interested, my field's enterprise security and we'd be drawn and quartered if we exposed admin interfaces to the internet.

    James

    On Mon, 23 Apr 2018, at 22:14, Mike Everest wrote:
    > Damn!
    >
    > Just saw that too - just when we were talking about unknown unknowns too :-l
    >
    > More reasons to protect those admin interfaces! :-o
    >
    > Cheers, Mike.
    >
    > > -----Original Message-----
    > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Shane Clay
    > > Sent: Monday, 23 April 2018 10:00 PM
    > > To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
    > > Subject: Re: [MT-AU Public] [BYPASS} Potential external Winbox vulnerability
    > >
    > > Posted by Mikrotik on their forums today...
    > > This is probably what you are seeing and why it didn't require a "brute force":
    > >
    > > https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
    > >
    > > Shane
    > >
    > > On 23/4/18, 5:52 pm, "Public on behalf of Tim Warnock" <public-bounces@talk.mikrotik.com.au on behalf of timoid@timoid.org> wrote:
    > >
    > >     I have a burn-in box - running 6.42 that I neglected to block 8291 on.
    > >
    > >     My logs show a single failed auth attempt and 1 second later a successful log in.
    > >
    > >     After that they disabled all the firewall rules, all service ports (except winbox) and then uploaded some files.
    > >
    > >     This is definitely something different than a brute force...
    > >
    > > > On 23 Apr 2018, at 17:04, Mike Everest <mike@duxtel.com> wrote:
    > > >
    > > > Hi Tim, thanks for posting!
    > > >
    > > > MikroTik themselves made an official announcement about it a few weeks back, and there has been much discussion about it (even in this list I think?)
    > > >
    > > > To be honest, I'm amazed that RouterOS has been able to remain inconspicuous for so long and why this has not happened before now is a total mystery to me ;-) I regularly present MTCNA certification training a couple of times a year, and when we get to the topic about securing RouterOS admin interfaces I always make a point of talking about how leaving port 22 open gives a literally 100% chance of taking brute force crack attempts within hours (or minutes!) of the router getting a public address. In the same breath, I also mention that it is only a matter of time that those crack attempts start attempting 'admin/blank' blank credentials too - now I can say it is already happening! ;-)
    > > >
    > > > There are two points worth noting about this recent activity:
    > > >
    > > > 1) it is very probably attempts to exploit the 'slingshot' vulnerability that has been widely reported recently
    > > > 2) it is here to stay - so YES, lock down the ports (should always be doing it anyway ;)
    > > >
    > > > Cheers!
    > > >
    > > > Mike.
    > > >
    > > >> -----Original Message-----
    > > >> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Timothy Neilen
    > > >> Sent: Monday, 23 April 2018 4:19 PM
    > > >> To: public@talk.mikrotik.com.au
    > > >> Subject: [MT-AU Public] [BYPASS} Potential external Winbox vulnerability
    > > >>
    > > >> A colleague passed this one to me from the Mikrotik forums (https://forum.mikrotik.com/viewtopic.php?f=2&t=133438).
    > > >>
    > > >> Might be an idea to block access to 20, 80, 8291 externally unless from trusted sources if you don't already.
    > > >>
    > > >> TN
    > > >>
    > > >> Regards,
    > > >> Timothy Neilen - Systems Engineer | +61 7 3123 7929
    > > >> Answers IT | 6/192 Evans Road
    > > >> Ph +61 7 3123 7929 | www.answersit.com.au
    > > >> _______________________________________________
    > > >> Public mailing list
    > > >> Public@talk.mikrotik.com.au
    > > >> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
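One way to put the thread's advice (firewall the input chain, disable unused services, restrict Winbox/SSH to trusted sources) into RouterOS terms. This is an added example, not configuration from anyone on the list; it assumes the default-config "LAN" interface list exists and uses 203.0.113.0/24 as a placeholder for a real trusted admin range.

```routeros
# Added example: lock down RouterOS admin access to trusted sources.
# Assumptions: default-config "LAN" interface list exists; 203.0.113.0/24
# is a placeholder for the real trusted admin range. Rules are appended in
# order, so review the existing input chain before adding a final drop.
/ip firewall address-list
add list=mgmt address=203.0.113.0/24 comment="trusted admin sources (placeholder)"

/ip firewall filter
# Keep replies to router-initiated traffic and discard malformed packets early.
add chain=input action=accept connection-state=established,related comment="allow established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# SSH and Winbox only from the trusted address list.
add chain=input action=accept protocol=tcp dst-port=22,8291 src-address-list=mgmt comment="ssh/winbox from mgmt only"
# Hosts on the LAN may still reach the router (DNS, DHCP, management).
add chain=input action=accept in-interface-list=LAN comment="allow LAN to router"
# Log probes of admin ports from everywhere else, then drop all remaining input.
add chain=input action=log protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 log-prefix="admin-port-drop" comment="log admin-port probes"
add chain=input action=drop comment="drop everything else to the router"

/ip service
# Disable services that are not used; bind the rest to the trusted range.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=203.0.113.0/24
set winbox address=203.0.113.0/24

# MAC-based Winbox/MAC-telnet and neighbour discovery only on LAN ports.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
```

Verify the result with `/ip firewall filter print` and `/ip service print`, and watch `/log print` for the `admin-port-drop` prefix to see who is still knocking.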